I hear that Fedora 18 will come with Samba 4

Andreas Schneider asn at samba.org
Thu Aug 2 00:29:07 MDT 2012


On Wednesday 01 August 2012 21:10:23 Richard Sharpe wrote:
> Hi folks,

Hi Richard,

> Is anyone making sure that the transition from Samba 3 to Samba 4
> after an upgrade works fine?

Samba 4 AD DC functionality relies heavily on the Heimdal Kerberos
implementation. Samba 4 includes the embedded Heimdal, if your system misses
it, like we have in Fedora. When embedded Heimdal is in use, all Samba 4 code
is compiled against this Kerberos implementation, including client side
libraries and tools, and the traditional file serving smbd daemon we know as
the 'samba' package in Fedora.

Fedora uses the MIT Kerberos implementation, both server and client side.
Heimdal and MIT Kerberos are targeting to implement the same Kerberos V
protocol but have their own extensions API and certain semantic differences.
They also give slightly different meaning to the Kerberos credential cache
file format where Kerberos-aware applications store their Kerberos keys. While
this is not an issue for client-server communication over a network (a Heimdal
client does talk the same Kerberos V protocol that an MIT Kerberos server
understands and vice versa), interoperability of the client or server code
using the same credential cache files on the same system is much less
supported for advanced features like S4U2Proxy and S4U2Self.

It is generally not advisable to load two different API implementations into
the same address space either. When the rest of the system libraries are
compiled against MIT Kerberos, use of them within Samba 4 code brings in MIT
Kerberos as well. This happens, for example, when linking against OpenLDAP
client libraries and using SASL authentication.

As part of the work we are doing on FreeIPA v3, we have made it possible to
compile Samba 4 code against the MIT Kerberos implementation. Unfortunately,
MIT Kerberos does not give the option of embedding the Kerberos KDC server
within another process, which is required for Samba 4 AD DC functionality.
Thus, when compiled with MIT Kerberos, Samba 4 currently does not provide
Active Directory Domain Controller functionality at all, only client side
libraries and tools to the extent that does not involve AD DC operations.
Also, smbd is compiled against MIT Kerberos and provides functionality
equivalent to what is provided by Samba 3's smbd.

We are intending to make it possible to use AD DC functionality with MIT
Kerberos, but this is a longer term project that requires cooperation between
Samba, MIT, and FreeIPA.


So Samba 4.0.0 in F18 will provide the same as Samba 3.6.6 and in addition the
new client libraries and python bindings.


Cheers,


	-- andreas

-- 
Andreas Schneider                   GPG-ID: F33E3FC6
Samba Team                             asn at samba.org
www.samba.org
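
Added example (not part of the original message, and not Samba or Fedora code): a Python check that reads `ldd` output for a binary and reports whether both Heimdal and MIT Kerberos libraries would be loaded into the same process, as in the OpenLDAP/SASL case the message describes. The soname patterns and the sample listings are assumptions constructed for illustration.

```python
import os
import re

# Soname patterns are assumptions based on common upstream builds;
# distributions may name or version these libraries differently.
MIT = re.compile(r"^(libkrb5\.so\.3(\.|$)|libgssapi_krb5\.so|libk5crypto\.so|libkrb5support\.so)")
HEIMDAL = re.compile(
    r"^(libkrb5\.so\.26(\.|$)|lib(krb5|gssapi)-samba4\.so"
    r"|lib(hx509|heimbase|roken|hcrypto|heimntlm)[-.])"
)

def kerberos_flavours(ldd_output):
    """Group the Kerberos-related sonames in `ldd` output by implementation."""
    found = {"mit": [], "heimdal": []}
    for line in ldd_output.splitlines():
        fields = line.split()
        if not fields:
            continue
        # First field is the soname, or a full path for the dynamic loader.
        soname = os.path.basename(fields[0])
        if MIT.match(soname):
            found["mit"].append(soname)
        elif HEIMDAL.match(soname):
            found["heimdal"].append(soname)
    return found

def is_mixed(ldd_output):
    """True when both implementations would be mapped into one process."""
    found = kerberos_flavours(ldd_output)
    return bool(found["mit"]) and bool(found["heimdal"])

# Constructed sample: embedded Heimdal plus MIT pulled in via libldap/libsasl2.
SAMPLE_MIXED = """\
    linux-vdso.so.1 (0x00007ffd1c5f2000)
    libkrb5-samba4.so.26 => /usr/lib64/samba/libkrb5-samba4.so.26 (0x00007f10a1c00000)
    libhx509-samba4.so.5 => /usr/lib64/samba/libhx509-samba4.so.5 (0x00007f10a1a00000)
    libldap-2.4.so.2 => /lib64/libldap-2.4.so.2 (0x00007f10a1800000)
    libsasl2.so.2 => /lib64/libsasl2.so.2 (0x00007f10a1600000)
    libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f10a1400000)
    libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f10a1200000)
"""
# Constructed sample: everything built against MIT Kerberos.
SAMPLE_MIT_ONLY = """\
    libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f10a1400000)
    libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f10a1200000)
"""
if __name__ == "__main__":
    for name, sample in (("mixed", SAMPLE_MIXED), ("mit-only", SAMPLE_MIT_ONLY)):
        print(name, is_mixed(sample), kerberos_flavours(sample))
```

Because `ldd` lists transitive dependencies, a library that is only reached through libldap or libsasl2 still shows up in the listing.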


